Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Find Skills Pro

v1.0.0

Helps users discover and install agent skills when they ask questions like "how do I do X", "find a skill for X", "is there a skill that can...", or express...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the instructions: the skill is an instruction-only helper that uses the Skills CLI (npx skills) to find and install other skills. One minor incoherence: the _meta.json ownerId differs from the registry ownerId in the provided metadata, which could indicate packaging or provenance confusion.
Instruction Scope
The SKILL.md tells the agent to run npx commands to search and install arbitrary skill packages. That stays within the stated purpose (finding/installing skills) but the examples recommend installing with '-g -y' (global + skip prompts). Skipping prompts and installing globally increases the chance the agent could install code without clear user consent or create system-wide side effects.
Install Mechanism
The skill is instruction-only (no install spec), but it instructs use of npx to fetch packages from npm/GitHub. Using npx to pull and run packages is a common pattern for this ecosystem, but it is inherently higher-risk than purely local operations because it executes remote code. The SKILL.md lacks guidance to vet packages before installing.
Credentials
The skill does not request environment variables, credentials, or config paths. No secret access is required by the skill itself.
Persistence & Privilege
The skill itself requests no persistent privileges (always:false). However, its recommended actions (global installs of third-party skills) could install persistent code into the user's environment; consider this when giving permission to proceed.
What to consider before installing
This skill is coherent for finding agent skills, but be careful before letting it install packages for you. npx installs run code fetched from remote sources — verify the package owner and repository before installing. Avoid using '-g -y' unless you explicitly trust the package (global installs and skipping confirmations increase risk). If you want to proceed safely: 1) ask the assistant to show the exact package URL and README first, 2) inspect the repo before installing, 3) prefer local or sandboxed installs, and 4) do not grant broad automated install permission. Also note the small ownerId mismatch in the metadata — if provenance matters, ask the publisher for clarification.

Like a lobster shell, security has layers — review code before you run it.

